BUG/MAJOR: http: don't read past buffer's end in http_replace_value
The function http_replace_value use bad variable to detect the end
of the input string.
Regression introduced by the patch "MEDIUM: regex: Remove null
terminated strings." (c9c2daf2)
We need to backport this patch int the 1.5 stable branch.
WT: there is no possibility to overwrite existing data as we only read
past the end of the request buffer, to copy into the trash. The copy
is bounded by buffer_replace2(), just like the replacement performed
by exp_replace(). However if a buffer happens to contain non-zero data
up to the next unmapped page boundary, there's a theorical risk of
crashing the process despite this not being reproducible in tests.
The risk is low because "http-request replace-value" did not work due
to this bug so that probably means it's not used yet.
(cherry picked from commit 534101658d6e19aeb598bf7833a8ce167498c4ed)
diff --git a/src/proto_http.c b/src/proto_http.c
index 705f3b4..f53b5e2 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -3206,7 +3206,7 @@
/* look for delim. */
p_delim = p;
- while (p_delim < p + len && *p_delim != delim)
+ while (p_delim < val + len && *p_delim != delim)
p_delim++;
if (regex_exec_match2(re, p, p_delim-p, MAX_MATCH, pmatch)) {
@@ -3230,7 +3230,7 @@
return -1;
/* end of the replacements. */
- if (p_delim >= p + len)
+ if (p_delim >= val + len)
break;
/* Next part. */